=====================================================================
CERT-Renater Information Note No. 2007/VULN369
_____________________________________________________________________
DATE                 : 28/09/2007
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Windows with CA ARCserve Backup for Laptops and Desktops.
======================================================================

===========================================================================
                                AA-2007.0081
                              AUSCERT Advisory
        [Win] CA ARCserve Backup for Laptops and Desktops contains
                      Multiple Server Vulnerabilities
                             25 September 2007
---------------------------------------------------------------------------

AusCERT Advisory Summary
------------------------

Product:            CA ARCserve Backup for Laptops and Desktops
                    CA Desktop Management Suite
                    CA Protection Suites
Operating System:   Windows 2000
                    Windows Server 2003
Impact:             Administrator Compromise
                    Increased Privileges
Access:             Remote/Unauthenticated
CVE Names:          CVE-2007-3216 CVE-2007-5003 CVE-2007-5004
                    CVE-2007-5005 CVE-2007-5006

Original Bulletin:
  http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp

OVERVIEW:

        Several vulnerabilities exist in CA ARCserve Backup for Laptops and
        Desktops, CA Desktop Management Suite and CA Protection Suites which
        may allow an unauthenticated remote attacker to gain complete control
        over the backup server.

IMPACT:

        o CVE-2007-3216 and CVE-2007-5003: describe several stack and heap
          based buffer overflows, the most critical of which are in the
          GetUserInfo and rxrLogin functions and could result in the
          execution of arbitrary code. All of these vulnerabilities, with
          the exception of the rxrLogin overflow, require authenticated
          access. For more information, see the iDefense advisory [1].

        o CVE-2007-5004 and CVE-2007-5005: describe vulnerabilities in the
          authentication and RPC functionality which may result in the
          remote execution of arbitrary code or the unauthenticated
          uploading of arbitrary files, respectively.
          eEye has released an advisory [2] describing these vulnerabilities.

        o CVE-2007-5006: describes a vulnerability which may allow an
          unauthorised remote client to execute privileged administrative
          commands, including adding or deleting users, uploading arbitrary
          files and initiating file restoration on clients. More
          information can be found in the iDefense advisory [3].

MITIGATION:

        Updates and resolution details are available from CA [4].

REFERENCES:

        [1] iDefense - CA ARCServe Backup for Laptops and Desktops Multiple
            Buffer Overflow Vulnerabilities
            http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=599

        [2] eEye - Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops
            http://research.eeye.com/html/advisories/published/AD20070920.html

        [3] iDefense - CA ARCserve Backup for Laptops and Desktops
            Authentication Bypass Vulnerability
            http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=598

        [4] CA ARCserve Backup for Laptops and Desktops Server Security Notice
            http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
======================================================================

=========================================================
  CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER            | tel  : 01-53-94-20-44 +
+ 151 bd de l'Hopital     | fax  : 01-53-94-20-41 +
+ 75013 Paris             | email: certsvp@renater.fr +
=========================================================
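The overflows that CVE-2007-3216 and CVE-2007-5003 attribute to rxrLogin and GetUserInfo above are the classic pattern of a server copying an attacker-supplied field into a fixed-size stack buffer without checking the length the client declared. The C below is an added illustration of that bug class and of the check that closes it; it is not CA's code and does not reproduce the ARCserve BLD wire protocol. The login record layout (a two-byte big-endian name length followed by the name), the buffer size and the sample records are all assumptions constructed for the example.

```c
/* Added example: hypothetical login-record parser, vulnerable and hardened.
 * The record layout and sizes are assumptions for illustration only; this is
 * not the CA ARCserve Backup for Laptops and Desktops protocol or source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 32   /* assumed size of the server's on-stack username buffer */

/* Assumed record: [u16 big-endian name_len][name_len bytes of username]... */
static uint16_t read_u16be(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Vulnerable form: trusts the client-supplied length. A name_len larger than
 * USER_MAX overruns 'user' on the stack; a name_len larger than the message
 * also reads past the received bytes. Only ever call this with a record that
 * is known to be in bounds. */
int login_vulnerable(const uint8_t *msg, size_t msg_len, char *out_user)
{
    char user[USER_MAX];
    if (msg_len < 2) return -1;
    uint16_t name_len = read_u16be(msg);
    memcpy(user, msg + 2, name_len);     /* BUG: unbounded by USER_MAX or msg_len */
    user[name_len] = '\0';               /* BUG: out of bounds when name_len >= USER_MAX */
    strcpy(out_user, user);
    return 0;
}

/* Hardened form: the declared length is validated against both the stack
 * buffer and the bytes actually received before any copy happens.
 * Returns 0 on success, a negative code saying which check failed. */
int login_hardened(const uint8_t *msg, size_t msg_len, char *out_user, size_t out_len)
{
    char user[USER_MAX];
    if (msg == NULL || out_user == NULL || out_len == 0) return -1;
    if (msg_len < 2) return -1;                          /* no length field */
    uint16_t name_len = read_u16be(msg);
    if (name_len == 0 || name_len >= USER_MAX) return -2; /* must leave room for NUL */
    if ((size_t)name_len > msg_len - 2) return -3;        /* record is truncated */
    memcpy(user, msg + 2, name_len);
    user[name_len] = '\0';
    if (strlen(user) != name_len) return -4;              /* embedded NUL in name */
    if (out_len <= name_len) return -5;                   /* caller's buffer too small */
    memcpy(out_user, user, (size_t)name_len + 1);
    return 0;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t REC_VALID[]     = { 0x00, 0x06, 'b', 'a', 'c', 'k', 'u', 'p' };
static const uint8_t REC_OVERSIZE[]  = { 0x04, 0x00, 'A', 'A', 'A', 'A' }; /* claims 1024 bytes */
static const uint8_t REC_TRUNCATED[] = { 0x00, 0x10, 'a', 'b' };           /* claims 16, carries 2 */

static char g_user[64];

int parse_valid(void)     { return login_hardened(REC_VALID, sizeof REC_VALID, g_user, sizeof g_user); }
int parse_oversize(void)  { return login_hardened(REC_OVERSIZE, sizeof REC_OVERSIZE, g_user, sizeof g_user); }
int parse_truncated(void) { return login_hardened(REC_TRUNCATED, sizeof REC_TRUNCATED, g_user, sizeof g_user); }
const char *parsed_user(void) { return g_user; }

int main(void)
{
    /* The vulnerable parser behaves for an in-bounds record... */
    char out[64];
    printf("vulnerable, valid record: rc=%d user=%s\n",
           login_vulnerable(REC_VALID, sizeof REC_VALID, out), out);
    /* ...and the hardened one rejects the two malformed records before copying. */
    printf("hardened, valid record:     rc=%d user=%s\n", parse_valid(), parsed_user());
    printf("hardened, oversize length:  rc=%d\n", parse_oversize());
    printf("hardened, truncated record: rc=%d\n", parse_truncated());
    return 0;
}
```

The point of the hardened version is that both bounds matter: the declared length must fit the destination buffer (otherwise the stack overflow the advisory describes) and must not exceed the bytes actually received (otherwise an out-of-bounds read that leaks or crashes). Feeding REC_OVERSIZE to the vulnerable parser would corrupt the stack, which is why the example never does so.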